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I Abstract. This paper presents a novel theoretical framework for the state space 

■ reduction of Kripke structures. We define two equivalence relations, Kripke mini- 
mization equivalence (KME) and weak Kripke minimization equivalence (WKME). 

O , We define the quotient system under these relations and show that these rela- 

■ tions are strictly coarser than strong (bi)simulation and divergence-sensitive stut- 
ter (bi)simulation, respectively. We prove that the quotient system obtained under 
KME and WKME preserves linear-time and stutter-insensitive linear-time prop- 
erties. Finally, we show that KME is compositional w.r.t. synchronous parallel 

' composition. 
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. 1 Introduction 

00 

j- . Model checking Kripke structures (KSs) suffers from the well-known state-space 

' explosion problem where the number of states grows exponentially in the number of 

. parallel components. Abstraction techniques based on equivalence relations reduce the 

state space of KSs, by aggregating equivalent states into a single state. The reduced state 
CsJ . space obtained under an equivalence relation, called a quotient, can then be used for 

analysis provided it preserves a rich class of properties of interest. For KSs, one usually 
distinguishes between linear-time and branching-time equivalence relations ll33l . The 
standard example of a linear-time equivalence is trace equivalence 1171291321 . Infor- 
^ . mally, two states are trace equivalent if the possible sequences of words starting from 

■ these states are the same. Several extensions of trace equivalence have been proposed, 

e.g., failure semantics and readiness semantics fl6ll8ll2ll 1I25I27I3I28I35II . In the weak 
setting, stutter trace equivalence has been proposed where a pair of sequences are con- 
sidered to be equivalent if they differ in at most the number of times a set of proposi- 
tions may adjacently repeat [19] . Checking trace equivalence is PSPACE-complete. In 
branching-time semantics, various relations on KSs have been defined such as strong 
and stutter variants of bisimulation and simulation pre-orders 12212612 II 15I7I34 V Strong 
bisimulation and divergence-sensitive stutter bisimulation coincide with Computation 
Tree Logic (CTL*) and CTL* /q, respectively 171131 . Strong simulation agrees with a 
"preorder" on the universal (or existential) fragment of CTL fSl. Several papers report 
data showing that bisimulation minimization can substantially reduce the state-space of 
models to be verified 1121 141 . The use of simulation relations for abstraction has been 



studied in, e.g., 181912011 . Unfortunately, (stutter) (bi)simulation is too fine, and it is of- 
ten desirable to obtain a quotient system smaller than (stutter) (bi)simulation such that 
properties of interest are still preserved. This is particularly important if the proper- 
ties to be verified belong to the class of (stutter-insensitive) linear-time properties, e.g. 
safety properties, liveness properties and in general (stutter-insensitive) w-regular prop- 
erties. These properties can be expressed using temporal logics such as Linear Temporal 
Logic (LTL) 21, Property Specification Language (PSL) |lj and semi-extended PSL 
(siPSL) flOl . 

In this paper our focus is on Kripke minimization equivalence (KME) that allows 
for a more aggressive state space reduction than strong (bi)simulation. In the weak set- 
ting we define weak Kripke minimization equivalence (WKME) such that state space 
reduction under WKME can potentially be much larger than for divergence-sensitive 
stutter (bi)simulation. Whereas bisimulation compares states on the basis of their direct 
successors, KME considers a two-step perspective. Two states s and s' are KME equiv- 
alent if for each pair of their direct predecessors it is possible to directly move to any 
equivalence class via the equivalence class [s] — \s'\ . The main principle is captured 
in Fig. 1 where only those states can be merged into equivalence class C for whom Sp 
and Sp can reach equivalence classes D and E via C and this should hold for each pair 
of predecessors of C. Intuitively, each predecessor of C should reach the same set of 
equivalence classes in two steps via C. In Fig. 1 it may be possible that some of these 
predecessors have only one successor in C while others have multiple successors in C. 
For WKME, we abstract from stutter steps and thus each predecessor of C should reach 
the same set of equivalence classes in two or more steps such that all extra steps are 
taken within C. 




Fig. 1. Kripke minimization equivalence 



Contributions. The main contributions of this paper are as follows: 

- We provide a structural definition of KME on KSs, define the quotient under KME 
and show that KME is strictly coarser than strong (bi) simulation. 

- We show that linear-time (LT) properties defined over infinite words are preserved 
under KME quotienting. 



- In the weak setting, we provide a structural definition of WKME on KSs, define the 
quotient under WKME and show that WKME is strictly coarser than divergence- 
sensitive stutter (bi)simulation. 

- Next, we prove that stutter-insensitive LT properties defined over infinite words are 
preserved under WKME quotienting. 

- Finally, we show that KME is compositional w.r.t. synchronous parallel compositon 
(SCCS-like parallel composition 1231 ). 

The theory presented in this paper forms the basis for developing an efficient algorithm 
that can obtain quotient systems that are smaller than (stutter) (bi)simulation. This is 
particularly helpful in situations where several components have to be combined using 
synchronous parallel composition 1231 . as KME based reduction can be applied at each 
step of the iterative composition. Both KME and WKME defined in this paper can be 
seen as state space reduction techniques induced by trace equivalence and stutter trace 
equivalence, respectively. 

Related work. In the stochastic context, T-Lumpability has been defined over sequential 
Markovian process calculus (SMPC) ||5|. T-LumpabiUty is defined using four process- 
algebraic axioms, and allows for a more aggressive state space aggregation than or- 
dinary lumpability. In 13TI a novel structural definition of weighted lumpability (WL) 
has been provided on continuous-time Markov chains (CTMCs) that coincides with T- 
Lumpability. For WL it has been proved that probability of properties specified using 
deterministic timed automaton and metric temporal logic are preserved under WL quo- 
tienting. Recently, the notion of WL has been extended to discrete-time Markov chains 
(DTMCs) and the preservation result for probability of w-regular properties has been 
established f30l. Our definition of equivalence for strong case, i.e., KME here builds on 
that investigated in illj for CTMCs. 

Organisation of the paper Section 2 briefly recalls the basic concepts of KSs. Section 
3 defines Kripke minimization equivalence and discusses the preservation of LT proper- 
ties under KME quotienting. Sections 4 defines weak Kripke minimization equivalence 
and discusses the preservation of stutter-insensitive LT properties under WKME quo- 
tienting. In section 5, we prove that WPE is compositional w.r.t. synchronous parallel 
composition. Finally, section 6 concludes the paper. 

2 Preliminaries 

This section recalls the basic concepts of Kripke structures with a finite state space. 
Definition 1 (KS). A Kripke structure (KS) is a tuple IC — {S, AP, L, sq) where: 

- S is a non-empty finite set of states, 

- — )-C S X S, is a transition relation s.t. Vs G S3s' G S with (s, s') €— 

- AP is a finite set of atomic propositions, 

- L : S ^ 2^^ is a labeling function, 

- So & S is the initial state. 



For simplicity, we write s — > s' instead of (s, s') G — Let s G 5 and CCS, then 
Post{s, C) ^ {s' eC \ s-> s'}. Let Post{s) = {s' e 5 | s -> s'}. For CCS*, let 
pred{C) = {s' \ 3s e C.s' -> s}. 

Definition 2 (KS patlis). Lef IC ~ {S, AP, L, sq) be a KS. An infinite path tt in K. 
is an infinite state sequence, i.e., sq — > si — > S2 • ■ • G 5*" with Si G S. 

Note that, since we do not allow KS IC to have terminal states, i.e., which do not have 
any outgoing transitions, we only consider infinite paths (starting from the initial state). 
Let Paths'^ (sq) denote the set of all infinite paths in IC that start in sq. For infinite path 
TT and any i G N, let 7r[i] = Si, the (i + l)-st state of tt. Let 7r[j...] denote the suffix of 
path TT starting in the {i + l)-st state. 

Definition 3 (KS traces). Let IC = {S, — !>, AP, L, sq) be a KS. The trace of an infinite 
path TT = So — > si — > S2 • • ■ e S"^ « trace{Tr) = L{so)L{si)L{s2) . ■ . E {2^^)'^. 

Intuitively a trace of an infinite path is the infinite sequence of sets of atomic proposi- 
tions that are valid in the states of the path, i.e. an infinite word over the alphabet 2^^. 
Let Traces'^ [sq) denote the set of all infinite traces in IC that start in so- 

Definition 4 (Trace-equivaient patfis). Let IC = (S, AP, L, sq) be a KS and tt^ g 

Paths^{so), i — 1,2. tti and'K2 are trace-equivalent, c/enofecZ/jy 7riA7r2, //'L(7ri[i]) = 
L{-K2[i\) for all i > 0. 

Definition 5 (Stutter step). Transition s — > s' in Kripke structure IC = {S, — >, AP, L, sq) 
is a stutter step if L{s) = L{s'). 

The notion of stuttering is lifted to paths as follows. 

Definition 6 (Stutter-equivalent patlis). Let K = {S, AP, L, sq) be a KS and 

TTi G Paths^{s{i), i = 1,2. tti and tt2 are stutter-equivalent, denoted by tti = n2, 
if there exists an infinite sequence AqAiA2 . . . with A^ C AP and natural numbers 
no,ni,n2, . . . , mo,mi,m2, . . . > 1 s.t. 

traceliTi) ^ Aq . . . Aq Ai . . . Ai A2 . . . A2 . . . 

710 — times ni — times 712— times 

trace{TT2) ^ . ^ . Ap^Ai . ^ . Ai^A2 ■ - ^2 ■ ■ • 

mo~times mi— times m2— times 

where . . . ^0 denotes for all i = . . . uq — 1, L{t:i [i]) = ^o- 

riQ — times 

Note that Aq . . . A^ only refers to the first block, for other blocks it is defined in an 

riQ — times 

analogous manner. Accordingly, stutter-equivalence for any two infinite traces pi,p2 G 
(2"^^)" (denoted by pi = P2) can be defined. 

Example L Consider the KS IC in Fig. 2 (left), where S = {sq, si, S2, S3, S4, S5, sg, S7}, 
AP — {a, b} and sq is the initial state. An example finite path tt is sq — > si — > S4 sg. 
Here 7r[3] — sg. The trace for tt is given by traceiji) ~ {a}0{a}{6}. 



Assumptions. Throughout this paper we assume that every state of KS K. has at least 
one predecessor, i.e., pred{s) = {s' G S* | s' — > s} 7^ for any s G 5. This is not 
a restriction, as any KS {S, — >, AP, L, sq) can be transformed into an equivalent KS 
(S", , AP' , L',Sq) which fulfills this condition. This is done by adding a new state 
s to equipped with a self-loop and which has a transition to each state in 5* without 
predecessors. To distinguish this state from the others we set L'{s) = 1. with 1. ^ AP. 
(All other labels, states and transitions remain unaffected.) Let Sq = sq. It follows 
that all states in S" = 5 U {s} have at least one predecessor. Moreover, the reachable 
state space of both KSs coincides. We also assume that the initial state sq of a KS is 
distinguished from all other states by a unique label, say $. This assumption implies 
that for any equivalence that groups equally labeled states, {so} constitutes a separate 
equivalence class. Both assumptions do not affect the basic properties of the KS such 
as linear or branching-time properties. For convenience, we neither show the state s nor 
the label $ in figures. 

3 Kripke Minimization Equivalence 

In this section, we present a technique for the state space minimization of a KS. We first 
define Kripke minimization equivalence (KME) followed by the definition of quotient 
KS under KME. Next to that, the relationship between KME and strong (bi)simulation 
is explored. 

Definition 7 (Predecessor based reacliability). For s e S and C,D C S, the function 
Pbr : 5 X 2'^ X 2'5' ^ {0, 1} is defined as: 



Definition 8 (KME). Equivalence TZ on S is a Kripke minimization equivalence (KME) 
on /C if we have: 

1. V(si, S2) G TZ it holds: L{si) = L{s2) and 

2. VC, D G S/n andVs', s" G pred{C) it holds: Pbr{s' , C, D) = Pbr{s" , C, D) 

States si, S2 are Kripke minimization equivalent, denoted by si * S2, if (si, S2) G 72. 
for some KME TZ. 

Example 2. Consider the KS K, in Fig. 2 (left). Let C ~ {S3, 54, 55} and D — {sr}. 
Then Pbr{si, C, D) = 1, since it is possible to move from si to 57 in two steps via 
S3. Similarly Pbr{s2, C,D) = 1. For KS /C, the equivalence relation induced by the 
partitioning {{sq}, {si}, {52}, {ss, S4, S5}, {se}, {s?}} is a KME. 

Definition 9 (Quotient Kripke structure). For KME relation TZ on fC, the quotient 

Kripke structure K,/ ^ is defined by K,/ ^ = {S/n, , AP, L' , Sg) where: 




otherwise. 



1 if 3s' G Post{s,C) s.t. 
Post{s',D) ^ 



- S/ti is the set of all equivalence classes under TZ, 



- Vc S/n^Slnisdefinedby:C W DijfPbr{s\C,D) = lwheres' G pred{C) 
and C,D e S/n, 

- L' (C) = L{s), where s ^ C and 

- Sq = C where sq G C. 

Example 3. The quotient KS for the Fig. 2 (left) under the KME relation with partition 
{{so}, {si}, {s2}, {s3, S4, S5}, {se}, {57}} is shown in Fig. 2 (right). 




Fig. 2. KS (left) and its quotient /C/^ under a KME (right) 



Definition 10. Any Kripke structure ICand its quotient under KME relation TZare 
-k-equivalent, denoted by /C*/C/.^, if and only if there exists a KME relation TZ* defined 
on the disjoint union S ttJ S/tz such that \fC G S/k, s G C it holds: (s, C) G TZ*. 

Theorem 1. Let K, be a Kripke structure and TZbe a KME on fC. Then K, * fC/ j^. 

Remark 1. Note that KMEs are not unique, i.e., there can be more than one equivalence 
relation that is a KME for any given KS. Intuitively it means that the original KS K, can 
be reduced in different ways. 

Definition 11 (Strong bisimulation). Binary relation TZ on S is a strong bisimulation 
on /C if for any (si, S2) G TZ we have: 

- =L(S2), 

- if s'l G Post{si) then there exists s'2 G Post{s2) with (s'j^, s'2) G TZ, and 

- if s'2 G Post{s2) then there exists s'l G Post{si) with (s'j^, s'2) G TZ. 

States si, S2 are bisimilar, denoted si ^ S2, if (si, S2) G TZfor some strong bisimula- 
tion TZ. 



These conditions require that any two bisimilar states, say si, §2 are equally labeled 
and that every outgoing transition of si must be matched by an outgoing transition of 
S2 and vice versa. Note that the relation ^ is an equivalence relation and is the coarsest 
strong bisimulation. 

Theorem 2. * is strictly coarser than ^. 

This theorem says that state space reduction under KME can potentially be larger than 
for strong bisimulation. 

For strong simulation equivalence, the condition to exhibit identical stepwise behav- 
ior is slightly relaxed. Whenever s' simulates s, state s' can mimic all stepwise behavior 
of s; the reverse is not guaranteed, so state s' may perform transitions that cannot be 
matched by state s. Two Kripke structures AC and K,' are simulation-equivalent if their 
initial states mutually simulate each other. 

Remark!. Consider the two KSs in Fig. 2, here K. and /C/^^ are not strong simulation 
equivalent. To show that KME is strictly coarser than strong simulation equivalence, 
the proof of Thm. 2 can be extended showing that quotient obtained under simulation 
equivalence can be obtained by repeated application of KME. 

Linear-time Properties. We investigate linear-time properties for KSs that are pre- 
served under KME quotienting. We study a more general class of linear-time properties 
that are defined over infinite words, i.e., (2'^^)". These include, e.g., w-regular proper- 
ties. Note that the preservation of w-regular properties implies the preservation of LTL 
formulas. These preservation results can be exploited for model checking by reducing 
the KS models under consideration prior to carrying out the verification. 

Definition 12. A linear-time property (LT property) over the set of atomic propositions 
AP is a subset of (2^^)'^. 

Example 4. An LT property can be used to specify the desired behavior of the system 
under consideration such as: 

- Every time the process tries to send a message, it eventually succeeds in sending it. 

- Whenever the system is down, an alarm should ring until it is up again. 

Definition 13. Let P be an LT property over AP and K, = (S, — AP^ L, sq) a Kripke 
structure. Then K, satisfies P, denoted IC \= P, ijf Traces^ {sq) C P. 

Tfieorem 3. Let K, be a KS and TZbe a KME on IC. Then for any LT property P: 

ic^p^icu^p. 

Intuitively, this theorem says that if a LT property holds for the original Kripke structure, 
it also holds for the quotient and vice versa. In principle this result allows performing 
model checking on the quotient Kripke structure provided that we can obtain this in an 
algorithmic manner. 

Corollary 1. Let IC be a KS and TZbe a KME on IC. Then for any LTL formula ip: 



4 Weak Kripke Minimization Equivalence 



In this section we define weak Kripke minimization equivalence (WKME). WKME is 
a variant of KME that abstracts from stutter steps, also referred to as internal or nonob- 
servable steps. Note that weak equivalence relations are important for system synthesis 
as well as system analysis. To compare KSs that model a given system at different ab- 
straction levels, it is often too demanding to require a statewise equivalence. Instead, 
a state in a KS at a high level of abstraction can be modeled by a sequence of states 
in the more concrete KS. Secondly, by abstracting from internal steps, quotient KSs 
are obtained that may be significantly smaller than the quotient under corresponding 
strong equivalence relation. Interestingly, though, still a rather rich set of properties is 
preserved under such abstractions. 

Definition 14 (Weak predecessor based reacliability). For s £ S and C,D C S, the 

function WPbr : S x 2^ x 2^ ^ {0,1} is defined as: 



where s' s" denotes that s' can reach s" in zero or more stutter steps, i.e., s' — > 



— >■ s" where n > 0. 

Definition 15 (WKME). Equivalence TZ on S is a weak Kripke minimization equiva- 
lence (WKME) on JC if we have: 

1. V(si, S2) G TZ it holds: L{si) — L{s2) and 

2. yC,D e S/n s.t. C D and\/s',s" G pred{C) s.t. s',s" i C it holds: 
WPbr{s', C, D) = WPhr{s", C, D). 

States si, S2 are weak Kripke minimization equivalent, denoted by si S2, if (si , S2) G 
TLfor some WKME U. 

Example 5. Consider the KS K, in Fig. 3 (left). Let C ~ {S3, S4, 55} and D = {se}- 
Then WPbr{si, C, D) ~ 1, since it is possible to move from si to sg in three steps via 
S3, S4 (where S3 — > S4 is a stutter step). Similarly WPbr{s2, C, D) = 1. For KS /C, the 
equivalence relation induced by the partitioning {{sq}, {si}, {52}, {s3, S4, s.s}, {s6}7 { 
S7}} is a WKME relation. 

Definition 16 (Quotient Kripke structure). For WKME relation TZ on K, the quotient 
Kripke structure K,/ ^ is defined by K,/ ^ = {S/iz, , AP, L', Sq) where: 

- S/n is the set of all equivalence classes under TZ, 

>' is defined by: C D, s.t. C ^ D iff W Pbr{s' ,C, D) = 1 where s' G 

pred{C), and C C iff there exists s (1 C s.t. s --^^ s 

- L'(C) = L{s), where s G C and 

- s'q = C where sq G C. 




n— times 



Fig. 3. KS K. (left) and its quotient /C/^ under a WKME (right) 



where s s denotes that s can reach itself in one or more stutter steps. 

Example 6. The quotient KS for the Fig. 3 (left) under the WfCME relation with parti- 
tion {{so}, {si}, {s2}, {53,54,55}, {sq}, {57}} is shown in Fig. 3 (right). 

Definition 17. Any Kripke structure K, and its quotient K,/ ^ under WKME relation TZ 
are Q-equivalent denoted by K. Q ^/^j if and only if there exists a WKME relation TZ* 
defined on disjoint union S tt) S/tz such that \fC £ S / n, s £ C it holds: (s, C) £ TZ*. 

Theorem 4. Let K, be a Kripke structure and TZbe a WKME on K,. Then K. IC/^. 

Remark 3. Note that WKMEs are not unique, i.e., there can be more than one equiva- 
lence relation that is a WKME for any given KS. 

Theorem 5. is strictly coarser than 

Definition 18. Let fCbe a Kripke structure and TZ an equivalence relation on S. 

- s £ S is TZ-divergence-sensitive if there exists an infinite path fragment n ~ s —> Si 
— > S2--- £ Paths{s) s.t. (s, Sj £ TZ) for all j > 0. 

- TZ is divergence-sensitive if for any (si,S2) £ TZ: if si is TZ-divergence-sensitive, 
then S2 is TZ-divergence-sensitive. 

Definition 19. Divergence-sensitive relation TZ on S is a stutter bisimulation on K, if 
for any (si , S2) £TZ we have: 

- L{si) = L{S2), 

- If s[ £ Post{si) with (s']^,S2) ^ TZ, then there exists a finite path fragment 
S2 — > 1*1 — > • • ■ Un — > s'2 with n > and (si, Ui) £ TZ, i = 1, . . . ,n and {s'l, s'2) £ 
TZ, 

- If s'2 £ Post{s2) with (sijSj) ^ TZ> then there exists a finite path fragment 
si — > wi — > . . . w„ — > s'l with n > and (w^, S2) £ TZ, i = 1, . . . ,n and (s'j^, s'2) £ 
TZ. 



States Si and S2 are divergence-sensitive stutter bisimilar, denoted by Si =''™ S2, if 
(si, S2) G Ti-for some divergence-sensitive stutter bisimulation TZ. 

Next, we investigate the relationship between WKME and divergence-sensitive stutter 
bisimulation relation. 

Theorem 6. is strictly coarser than 

This theorem asserts that WKME can achieve larger state space reduction as compared 
to divergence-sensitive stutter bisimulation. 

For divergence-sensitive stutter simulation equivalence 1241 the conditions provided 
in Def. 19 are slightly relaxed. Whenever s' stutter simulates s, state s' can stutter mimic 
all stepwise behavior of s, and if there exists a path tt emanating from state s such that 
all the states on tt are related to state s', then s' has to have some successor s'^ such 
that some state s„ on tt is related to s'^, the reverse is not guaranteed, so state s' may 
perform transitions that cannot be stutter mimicked by state s. Two Kripke structures 
/C and K.' are divergence-sensitive stutter simulation-equivalent if their initial states 
mutually stutter simulate each other according to the conditions given above. 

Remark 4. Consider the two KSs in Fig. 3, here /C and JC are not divergence-sensitive 
stutter simulation equivalent. To show that WKME is strictly coarser than divergence- 
sensitive stutter simulation equivalence, the proof of Thm. 6 can be extended showing 
that quotient obtained under divergence-sensitive stutter simulation equivalence can be 
obtained by repeated application of WKME. 

Stutter-insensitive Linear-time Properties. We investigate stutter-insensitive LT prop- 
erties defined over infinite words for KSs that are preserved under WKME quotienting. 
These include, e.g., stutter-insensitive w-regular properties. Note that the preservation 
of stutter-insensitive a; -regular properties implies the preservation of LTL/q formulas. 

Definition 20. LT property P is stutter-insensitive if for any p ^ P, Vpi s.t. pi = p ^ 

Pi eP. 

Example 7. Consider the stutter-insensitive LT property IfTOl : 

: the number of occurrences of the sub- 
word {p}0 in w is divisible by n}, 

for n > 2. Note that this property cannot be expressed using LTL/q. 

The satisfaction relation for stutter-insensitive LT property P, i.e., /C |= P, is as in Def. 
13. 

Tlieorem 7. Let IC be a KS and TZ be a WKME on JC. Then for any stutter-insensitive 
LT property P: 

Corollary 2. Let IC be a KS and TZbe a WKME on JC. Then for any LTL / q formula ip: 



/C 1= <y9 IC/ ^ \= ip. 



5 Synchronous Parallel Composition 



In this section we show that KME is compositional w.r.t. synchronous parallel compo- 
sition (SCCS-like parallel composition [23J) of KSs. This result is useful for analyzing 
synchronous distributed algorithms and synchronous hardware circuits where processes 
progress in a lock-step fashion. For example say we want to compose a large KS ICi 
with another KS IC2 and these KSs have n and m states respectively. Then the resulting 
KS ICi (g) IC2 will have m ■ n states so it is worthwhile to compute this composition using 
a smaller KS /C' Kripke minimization equivalent to /Ci . Synchronous parallel composi- 
tion is also at the heart of Lustre [[161 . a declarative programming language for reactive 
systems, and is used in many other hardware-oriented languages. 

Definition 21. ^LetJCi = ^1, APi, Li, sqi) one/ /C2 = (53,^2,^^2,^2,502) 
be two Kripke structures. We say s — ?> is' if (s, s') ^^ifor i = 1,2. The synchronous 
parallel composition of two Kripke structures is K-i ® IC2 = {Si x 6*2,— >,APi U 
AP2, L, (sqi, S02)), where (sqi, 502) is the initial state, L((si, S2)) — L{si) U L{s2), 
and — !► is given as follows: 

Si — > is'^ A S2 — > 2S2 
(S1,S2) -> (si,S^) 

Theorem 8. Let K, be a KS and TZbe a KME on K,. Then for any Kripke structure ICi: 

(/C(8)/Ci)*(/C/^®/Ci). 

6 Conclusions and Future Work 

We have presented two equivalence relations, Kripke minimization equivalence (KME) 
and weak Kripke minimization equivalence (WKME) on KSs. We defined the quotient 
system under these relations and proved that these relations are coarser than strong 
(bi)simulation and divergence-sensitive stutter (bi)simulation, respectively. Preserva- 
tion results for EI properties and stutter-insensitive LT properties have been established 
under KME and WKME quotienting. Finally we show that KME is compositional w.rt. 
synchronous parallel composition. 

Developing and implementing an efficient quotienting algorithm is left for future 
work. Note that any algorithm that generates a quotient system under (weak) KME can 
potentially achieve a state space reduction that is larger than (stutter) (bi)simulation, but 
it cannot guarantee the smallest quotient system that is (stutter) trace equivalent to the 
original one. 
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